• The presentation is provided for training purposes and does 
not form part of the formal legal and regulatory requirements 
of the HKMA. It should not be substituted for seeking detailed 
advice on any specific case from an Authorized Institution's 
(AI) / Stored Value Facility (SVF) Licensee’s own 
professional adviser. 


The HKMA is the owner of the copyright and any other rights 
in the PowerPoint materials of this presentation. These 
materials may be used for personal viewing purposes or for 
use within the AI / SVF licensee. Such materials may not be 
reproduced for or distributed to third parties, or used for 
commercial purposes, without the HKMA’s prior written 
consent. 

Governance and Oversight 





• Variations in format / structure across different types of 
institutions, but should be appropriate to nature, scale and 
complexity 

> Formal structure 
> Clarity in terms of reference and responsibilities 
> Documentation of key issues discussed and decisions made 


Our observations 


• Insufficient oversight over 
> control framework developed or run by Head Office / Group 
> processes taken up by intragroup / 3rd party service providers 


• Careful management of backlog required 

• Ongoing exercise to inform the ML/TF risks of Hong Kong 
and different sectors 


• 1st HRA published in April 2018 


> already analysed how different banking products and services 
were vulnerable to ML activities 


> remain largely relevant today 


• 2nd HRA (tentatively to be published in late 2021) 


> focusing on emerging threats and vulnerabilities since 2018 
> COVID-19, remote on-boarding, new payment methods etc. 


• Inputs from private sector are crucial 


> draft reports circulated for industry's comment last week 

Understanding of Risks — Basis for RBA 





• Access to accurate, timely and objective information about 
ML/TF risks is a prerequisite for an effective risk-based 
approach (RBA) 


> We expect understanding throughout the institutions on the 
importance and use of risk information 
o target resources and drive RBA 
o effective mitigation of higher risks 
> Discussion on risks starts all examination processes 
> Relevant staff must be able to articulate what the institutions’ 
ML/TF risks are, how information is being used to update their 
understanding 


HONG KONG MONETARY AUTHORITY 


Understanding of Risks — IRA 





Our observations 
• Lack of information and analysis to support institutional risk 
assessment (IRA) 
> Mechanical processes: insufficient quantitative and qualitative 
analysis 
> Lack of forward-looking elements 
> “Description” rather than “assessment” 


• Same control measures applied to customers with different 
risks in terms of business and transaction profile 




Customer Risk Assessment (CRA) 





• Commensurate with nature and size of institutions’ business 


• RBA should be embedded in the CRA framework design; 
institutions should articulate the rationale, how it reflects their 
risk understanding and risk appetite 


• Adequate audit trail so that rationale behind a grading could 
be explained 


Our observations 
• Unable to differentiate underlying risks of customers 


• Lack of holistic assessment, restricted range of factors taken 
into consideration 




Transaction Monitoring (TM) 





Our observations 
• Insufficient understanding of TM system 


> Direct application of Group system without local “know how” that 
can explain results 


• No regular assessment on TM system 
> Appropriateness of parameters and scenarios used 
> Data feeds and integrity 


• Alert closure: lack of documentation of justifications 


> Unable to demonstrate the level of investigation undertaken or 
explain a particular decision / course of actions 

Transaction Monitoring — Optimization 





• Application of optimization mechanism should be subject to 
adequate validation and scrutiny 


• Clear understanding on how the mechanism works and its 
impact 


Our observations 


• Inadequate oversight over application of optimization 
mechanism 
> Limited pre-launch assessment 


> No regular assessment on performance of TM system with 
application of optimization 

Suspicious Transaction Reporting (STR) 





• Documentation of decisions made: assessment of the risks 
and mitigating measures 


• Mechanism to track completion of post-STR review against 
timeline prescribed by the institution 


Our observations 
• Inadequate documentation 


> Decision making processes: rationale for reporting or not 
reporting STRs 


• Post-STR reviews 
> Unclear rationale of mitigating measures applied 
> Delay in review 

Availability and Access to Quality Data 





• Direct bearing on the effectiveness of control systems 


> Better data quality — help reduce false alarms which do not 
reflect real risks 


> Access to and analyse data from different sources — build a more 
comprehensive picture on risk profile which facilitates targeted 
approach to combat ML/TF 


Our observations 
• Inaccurate and inconsistent data in institutions’ system 


> Input errors, insufficient guidance of data requirements, poor 
change management 


• Limited use of data and information from different sources 

Thank You 